Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #76

September 25, 2007

The first story in this issue, about the possible criminal failure of the DHS intrusion detection contract, is worth a few minutes of your time, because it illuminates fundamental failure at an agency that should know better. DHS isn't alone; some unscrupulous contractors are taking advantage of lax government oversight in security all across government to charge enormous amounts of money while systematically failing to do what is needed to actually secure the systems. Contractors claim they know the work is flawed but they are "only doing what their federal customers are requesting". Shame on them for accepting assignments they know to be impotent and failing to do the job that is needed to protect our nation's systems and secrets. This scandalous behavior has been going on for more than seven years, but it looks like it is finally going to stop. Chairmen Bennie Thompson and James Langevin (Chairmen of the House Homeland Security Committee and its Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, respectively) are investing enormous amounts of their time to find the failures and fix them. They both deserve the thanks of everyone who cares about effective cyber security.

How good are the courses? Here's what past attendees said: "An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life) "This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton) "You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

TOP OF THE NEWS

The FBI is investigating Unisys over allegations the company failed to detect cyber attacks on US Department of Homeland Security (DHS) computer systems. The investigation was prompted by a letter from the House Committee on Homeland Security, citing the "high and unacceptable" number of "cyber security incidents" experienced by DHS computer systems in fiscal years 2005 and 2006. The committee alleges that the intrusion protection devices placed on DHS systems by Unisys were improperly installed. Unisys refutes the allegations of improperly installed systems and maintains it reported cyber security incidents. Committee chairman Bennie Thompson (D-Miss.) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology chairman James R. Langevin (D-R.I.) have also asked DHS Inspector General Richard Skinner to conduct an investigation.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092301471_pf.html
-http://www.cio.com/article/140500/FBI_Investigates_Unisys_Over_US_Government_Hack
-http://www.govexec.com/story_page.cfm?articleid=38112&dcn=todaysnews
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101028
[Editor's Note (Ullrich): Nobody will guarantee that a network is fully secured against any possible attack. However, this case may become interesting if it evolves into a meaningful discussion about security service level agreements.
(Honan): Outsourcing the implementation or management of your security systems to a third party does not equate to outsourcing the responsibility for those systems. You need to implement proper checks and balances to ensure that your provider is providing the level of service you require. It will be interesting to see how the outcome of this case will impact on the outsourced security provider space.
(Ranum): While they're all playing "blame the contractor," the truth is that government agencies have been allowed to become utterly de-skilled through overreliance on outsiders instead of actually knowing how to do anything. The fact that DHS is the agency nominally tagged with leading the US' cyber security efforts makes this whole comic opera a lot less funny.
(Schultz): It is reasonable to expect events such as this one to occur more frequently over time. Security service providers are going to increasingly be held accountable for the results of the services that they provide. ]

Companies Still Not Taking Adequate Measures to Wipe Used Drives (September 21, 2007)

The percentage of used hard drives containing sensitive data has not changed much in the last two years. According to statistics from BT Group, 37 percent of second-hand hard drives still contain confidential information from their previous users. BT Group examined 350 hard drives bought in online auctions. Nineteen percent of the disks had sufficient data on them to identify the organization of origin, and 65 percent contained personally identifiable information. The report, which has yet to be released, also says that used drives are not highly reliable; 44 percent of the 133 disks purchased in the UK did not work.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038221&source=rss_topic17
[Editor's Note (Ullrich): Wiping data takes time. Companies might be better served by destroying the drives vs. trying to resell them used. It's not worth the risk. ]

Number of Cyber Attacks is Down, But Severity is Up (September 21, 2007)

According to a study from the Computing Technology Industry Association (CompTIA), the incidence of cyber attacks has declined slightly over the last year, but the severity of those attacks has increased significantly. Of the 1,070 organizations responding to the survey, 66 percent did not report a security breach within the previous 12 months. Last year, that figure was 61.8 percent, and the year before, 42 percent. However, the organizations gave the attacks they did experience an average severity rating of 4.8 on a scale of 0 to 10; last year's average severity rating was 2.6. The largest portions of the costs involved in security breaches were impact on employee productivity and server and network downtime.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202100132
Summary:
-http://www.comptia.org/sections/research/research%20docs/securitysummary407.pdf
[Editor's Note (Ullrich): Modern malware becomes harder and harder to remove and detect. Once a system is infected, the damages very quickly escalate due to malware automation and counter measures taken against detection. The smaller number of attacks may very well reflect the difficulties in detecting these attacks vs. an actual decline.
(Northcutt): These results are probably not correct. I think organizations, with DHS as a case in point, are simply losing the ability or desire to detect attacks.
(Ranum): I don't think we should quote these numbers because they are meaningless and therefore deceptive. I just checked on CompTIA's site -- the site producing the research -- and it appears to simply use web-based surveys in which basically anyone can log in and fill it out. There are two horrible methodological flaws in doing this. First and foremost, it's a self-selected sample, which guarantees bias. You're not measuring "cyber attacks"; you're measuring "what people who were bored enough to take a survey claimed about cyber attacks." Unless they used some different methodology for the survey (in which case they should explain it!). Secondly, there's no way of telling if the respondent actually has relevant information; for all we know the survey was taken by bored 12-year-olds mashing buttons at random. ]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

TJX Offers Settlement (September 24, 2007)

TJX Companies has made a settlement offer to address class action lawsuits brought in response to the massive security breach that was disclosed earlier this year. Under the terms of the offer, customers would be reimbursed for the cost of replacing their driver's licenses and would be provided with three years of credit monitoring. The settlement is subject to court approval. The company would also provide store vouchers if customers incurred losses as a result of the breach.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101077
-http://www.securityfocus.com/brief/594
[Editor's Note (Schultz): TJX would be lucky to have its offer accepted, as the compensation it is offering is rather meager in comparison to the magnitude of the impact of its security breach on so many of its customers. ]

POLICY & LEGISLATION

Estonia Looking to Update Cyber Security Laws (September 17, 2007)

Estonian legislators are taking steps to amend the penal code to provide for more stringent punishments for cyber criminals. Estonian government and business websites came under attack last spring, which prompted the amendments. Current computer crime law in Estonia addresses crimes with personal and financial gain as their aim. Under the proposed laws, cyber crimes would be deemed acts of terrorism if their intents were the same as acts of physical terrorism. -http://www.baltictimes.com/news/articles/18815/

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Following orders from German courts, seven eDonkey servers in Germany were shut down. The removal of those servers means that approximately one-third of eDonkey's four million users will not have access to the filesharing network. eDonkey does not have a parent company; it is a loose organization with no apparent central control, so authorities decided to take aim at those operating the servers that enabled the eDonkey network. Injunctions against servers in France and the Netherlands have also been issued.
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article2504723.ece
-http://www.heise.de/english/newsticker/news/96264

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Cross-Site Scripting Flaws in Google (September 24, 2007)

A trio of cross-site scripting flaws in Google applications could be exploited to steal data. A flaw in the polls application of Google Groups could allow attackers to steal messages and contacts from Gmail accounts. The second flaw lies in the Google search appliance and could be exploited to steal site login credentials and other sensitive information. The third vulnerability, which is in Google's Picasa photo organizer, could allow attackers to steal pictures by manipulating users into visiting specially crafted websites. -http://www.theregister.co.uk/2007/09/24/google_vulns_put_users_at_risk/print.html

Zero-Day PDF Flaw in Adobe Reader (September 21, 2007)

A zero-day, critical flaw in Adobe Acrobat Reader could be exploited with a maliciously crafted PDF file to take control of PCs. The person who found the flaw says he will not release proof of concept code until a fix is available. In the meantime, he advises users to refrain from opening PDF files. Adobe is investigating the issue.
-http://www.theregister.co.uk/2007/09/21/pdf_peril/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038099&source=NLT_SEC&nlid=38
-http://www.eweek.com/article2/0,1895,2186101,00.asp
[Editor's Note (Ullrich): Sadly, Adobe has done little to shed light on the issue of severity. Even without a patch available yet, I would hope a software company would provide clear guidance on severity and mitigating measures.
(Frantzen): There is no such thing as a 0-day *vulnerability*. There are only 0-day exploits at best. The right term for a vulnerability is "new" or "unpatched", even "unconfirmed". The mitigation described is of no help as the alternative will be even worse. Going back to emailing Word documents, where the vulnerabilities are documented with exploits before they get patched?
(Honan): Given the widespread use of the PDF file format for distributing files, the potential impact of this problem should not be underestimated. Until more details are available or Adobe issues a patch, I suggest talking to your senior management to highlight this problem. Based on that discussion, mitigation steps such as blocking/quarantining emails with PDF attachments, preventing the downloading of PDF files and reinforcing to users not to click on PDF files can be implemented. ]

A critical heap-based buffer overflow flaw in OpenOffice could allow attackers to execute arbitrary code and gain unauthorized access to vulnerable systems. The flaw lies in the way some tags within TIFF images are processed. To exploit the flaw, attackers would need to trick users into opening maliciously crafted documents. The flaw affects OpenOffice versions prior to 2.3; users are urged to upgrade to the most recent version.
-http://www.vnunet.com/vnunet/news/2198910/openoffice-hit-highly-critical


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/